
bad things in netlogon file/event log

First off, I'd like to give a "How do ya do?" to the forums. I just found the site and am eagerly awaiting the time that I can delve into the security tutorials available on the boards. I appreciate any comments in re my post...

I came back from vacation and got slammed with work (what else is new..) but eventually made my way to do my pseudo-periodic check of several output files from a script that parses the netlogon log for attempted logons with invalid user names or invalid passwords. I found many, many entries (approx 1-2 per second) that look like this:

Obviously we do not have an account named administrator (it has been renamed). They do not occur each day (nor is there a specific pattern that I can see as to the days/times they do occur) and the attempts to logon last for exactly 20 minutes. Here is what I see in the Security event log at the times that these attempted logons occur:

I am also noticing Sec event log entries on clients that say users are logging onto the clients when there is no activity the user is initiating. They are logon type 3 (Kerberos) and log off after about 10 seconds. This does not occur on all the clients, only a few. I'm not sure if this is related but thought it best to include the info.

I've attached a .txt with the parsed failed logons. You will notice other domain/usernames attempting to logon. Again, I'm not sure they are related.

"Exchange" is a DC that also has a website and Exchange 2003 on it. Yes, I know that is a security risk, but I inherited the network a few months ago and will not be able to install more servers for a few more months....

Where do I go/what can I do to resolve this?

I appreciate the feedback...

***Edit: The .txt is too large to attach. I can mail it if anyone needs it.
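The poster's own parsing script is not shown, so here is an added example (not the poster's script and not from the thread) of the kind of check it implies: it parses netlogon.log-style failure lines and chains them into bursts per account and originating host, so a sustained one-per-second run against a renamed "administrator" surfaces together with the client machine it came from. The line layout, the CONTOSO domain and the hosts EXCHANGE and WS07 are constructed for the sample; the two NTSTATUS codes are the real values a DC logs for an unknown user and a wrong password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# netlogon.log-style line; 0xC0000064 = no such user, 0xC000006A = wrong password.
LINE_RE = re.compile(r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?Network logon of "
                     r"(?P<acct>\S+) from (?P<client>\S+) Returns (?P<status>0x[0-9A-Fa-f]+)$")
FAILURE_STATUS = {"0xC0000064": "no such user", "0xC000006A": "wrong password"}

def build_sample_log():
    """Constructed, not from the thread: 12 failures at 1/s from EXCHANGE, plus 2 WS07 events."""
    t0 = datetime(2005, 4, 17, 2, 10, 0)
    lines = [f"{t0 + timedelta(seconds=i):%m/%d %H:%M:%S} [LOGON] CONTOSO: SamLogon: "
             f"Network logon of CONTOSO\\administrator from EXCHANGE Returns 0xC0000064"
             for i in range(12)]
    lines.append("04/17 08:30:12 [LOGON] CONTOSO: SamLogon: Network logon of "
                 "CONTOSO\\jsmith from WS07 Returns 0xC000006A")   # one typo'd password
    lines.append("04/17 08:31:40 [LOGON] CONTOSO: SamLogon: Network logon of "
                 "CONTOSO\\jsmith from WS07 Returns 0x0")          # success, ignored
    return "\n".join(lines)

def parse_failures(text, year=2005):
    """netlogon.log omits the year; supply it so timestamps can be compared."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["status"] in FAILURE_STATUS:
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d %H:%M:%S")
            events.append((ts, m["acct"].lower(), m["client"], FAILURE_STATUS[m["status"]]))
    return events

def find_bursts(events, max_gap_s=5, min_count=10):
    """Chain each (account, client)'s failures arriving within max_gap_s; report long chains."""
    stamps = defaultdict(list)
    for ts, acct, client, _reason in events:
        stamps[(acct, client)].append(ts)
    bursts = []
    for (acct, client), times in stamps.items():
        times.sort()
        run = [times[0]]
        for ts in times[1:] + [None]:                 # None flushes the final run
            if ts is not None and (ts - run[-1]).total_seconds() <= max_gap_s:
                run.append(ts)
                continue
            if len(run) >= min_count:
                secs = (run[-1] - run[0]).total_seconds()
                bursts.append({"account": acct, "client": client, "count": len(run), "start": run[0],
                               "duration_s": secs, "per_second": round(len(run) / max(secs, 1), 2)})
            run = [ts] if ts is not None else []
    return bursts
```

Pointing `parse_failures` at the real `%SystemRoot%\debug\netlogon.log` (with the DC's year) gives the per-host view the replies below ask for without a packet capture, since the `client` field is the NetBIOS name the logon request arrived under.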

Again, looks like worm or bot activity. Any way to spot the source address of the host sending these requests in? I mean, the domain controller running netmon can capture this information very easily. That is, if it still is happening.

Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Do you have a server, (or workstation I suppose), called EXCHANGE on the same network? Does it have a user called administrator?

Because that looks a lot like another computer trying to access this particular one rather than someone trying to access it.

I'm guessing that the computer showing these log entries is on the trusted network and so is the computer called EXCHANGE.

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

I think what horsie is alluding to with the "bigger issues" is that you likely have something monitoring some of your client workstations (the Kerb logins), probably through a local admin account (not necessarily Administrator) that didn't have a tough enough password. You may have a netcat remote session or mIRC environment running on them to leverage into the rest of the network.

Check that all the services are communicating on the server as they are supposed to. You will need to set up an Ethereal on a hub or on the router so that it can see all the traffic in and out of the network so you can see if the login attempts are coming from outside or inside your network. If they are coming from outside, that is a brute force attack at the administrator account. If it is coming from inside, you may have a compromised workstation that is doing the dirty work. However, there must be some traffic through the network to indicate the remote controller for this activity.

Those systems that are showing the periodic logins may be needing a good safe mode scan to see what is on them.